The Internet is becoming an ever more complex system, with a steadily increasing number of users, an increasing heterogeneity of devices, applications, hardware and software platforms, and distributed administration. In this context, the number of companies operating on the Internet keeps growing, and some of them are very hard to get hold of. Spam mail has become a problem for all Internet users except those who produce it. A massive daily volume of spam traffic burdens Internet service providers (ISPs) and end-users alike. Internet service providers are being black-listed because some entities register them as originators of spam, which in many cases is not true. Another problem of the current Internet is the distribution of illegal material. Yet another example is the use of the many P2P file-sharing applications for the illegal distribution of content; the movie and music industry is suffering heavily from these applications. Up to now, it has been very hard or even impossible to identify and track down the people or organizations causing these problems.
An important task of network devices such as routers and switches is to forward and distribute data. Network devices are often designed to export information on the network traffic they process. Such information can be used, for example, for billing, for monitoring traffic for load balancing, or for detecting malicious traffic such as a denial-of-service attack.
A commonly used level of presenting information on network traffic, one that allows a deeper and more sophisticated analysis of the traffic, is based on network flows. A network flow may be defined as a set of data packets passing an observation point in the network during a given time interval. All data packets belonging to a particular network flow share a set of common properties. Each property is defined as the result of applying a function to the values of one or more parts of the data packets; in the simplest case the function is the identity and the parts are header fields such as source and destination address, transport protocol and port numbers. A commonly used data format in which network flow information can be exported is defined by Cisco's proprietary flow profiling system, NetFlow, as described, for example, in the manual "Cisco IOS Release 12.0(5)T". An open, general and flexible standard called IPFIX (IP Flow Information Export) is currently being standardized by an IETF (Internet Engineering Task Force) working group. The current status of this standardization is available under the title "Architecture for IP Flow Information Export", draft-ietf-ipfix-architecture-09, dated Aug. 15, 2005, printed out on Jan. 14, 2006 and available under http://www.ietf.org/internet-drafts/draft-ietf-ipfix-architecture-09.txt. Cliff C. Zou, Weibo Gong, Don Towsley and Lixin Gao disclose in the publication "Monitoring and Early Detection for Internet Worms", IEEE/ACM Transactions on Networking, vol. 13, no. 5, October 2005, previously published in the Proceedings of the ACM Conference on Computer and Communications Security, 2003, techniques for monitoring and detecting Internet worms. A Kalman filter that estimates the parameters of an exponential growth model of the infected population is used for early detection. The disclosure is restricted to a localized approach.
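As an added illustration of the flow definition above (this is example code written for this page, not code from the patent, from Cisco's NetFlow implementation or from the IETF IPFIX work), the following Python aggregates individual packets into unidirectional flow records keyed on the classic 5-tuple, expires flows by the usual NetFlow-style inactive and active timeouts (the values 15 s and 1800 s are assumed defaults, not taken from the page), and then runs a simple fan-out check over the exported records. The packet list is constructed for the example; the scan heuristic at the end is illustrative and not the detection technique of any cited work.

```python
"""Flow aggregation in the NetFlow/IPFIX sense: packets -> flow records -> analysis.

Added example for this page; not the patent's, Cisco's or the IETF's code.
All packets below are constructed; timeouts are assumed values.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FlowRecord:
    """One exported flow: the key fields every packet shared plus the counters."""
    key: tuple          # (src_ip, dst_ip, proto, src_port, dst_port)
    first_seen: float   # timestamp of the first packet, seconds
    last_seen: float    # timestamp of the most recent packet, seconds
    packets: int = 0
    octets: int = 0


class FlowCache:
    """Holds active flows at the observation point and exports them on timeout.

    A flow ends when no packet has arrived for `inactive_timeout` seconds or when
    it has been open for `active_timeout` seconds (both assumed values)."""

    def __init__(self, inactive_timeout: float = 15.0, active_timeout: float = 1800.0):
        self.inactive_timeout = inactive_timeout
        self.active_timeout = active_timeout
        self.active: dict[tuple, FlowRecord] = {}
        self.exported: list[FlowRecord] = []

    def _expire(self, now: float) -> None:
        # Export every flow whose inactive or active timeout has elapsed at time `now`.
        for key, rec in list(self.active.items()):
            if (now - rec.last_seen > self.inactive_timeout
                    or now - rec.first_seen > self.active_timeout):
                self.exported.append(self.active.pop(key))

    def observe(self, ts: float, src_ip: str, dst_ip: str, proto: int,
                src_port: int, dst_port: int, octets: int) -> None:
        """Account one packet. The key is the identity function on five header fields."""
        self._expire(ts)
        key = (src_ip, dst_ip, proto, src_port, dst_port)
        rec = self.active.get(key)
        if rec is None:
            rec = FlowRecord(key, ts, ts)
            self.active[key] = rec
        rec.last_seen = ts
        rec.packets += 1
        rec.octets += octets

    def flush(self) -> list[FlowRecord]:
        """Export all remaining flows (end of observation interval) and return everything."""
        self.exported.extend(self.active.values())
        self.active.clear()
        return self.exported


def fan_out_by_source(records: list[FlowRecord], max_packets_per_flow: int = 2) -> dict[str, int]:
    """Illustrative scan heuristic: distinct destinations per source among very short flows."""
    dests: dict[str, set[str]] = defaultdict(set)
    for r in records:
        src, dst = r.key[0], r.key[1]
        if r.packets <= max_packets_per_flow:
            dests[src].add(dst)
    return {src: len(d) for src, d in dests.items()}


# Constructed packets: (ts, src_ip, dst_ip, proto, src_port, dst_port, octets).
SAMPLE_PACKETS = [
    (0.0, "10.0.0.5", "192.0.2.10", 6, 40001, 80, 60),      # client -> web server
    (0.1, "192.0.2.10", "10.0.0.5", 6, 80, 40001, 1500),    # reverse direction = own flow
    (0.2, "10.0.0.5", "192.0.2.10", 6, 40001, 80, 52),      # same flow as the first packet
    (1.0, "10.0.0.7", "192.0.2.20", 17, 5353, 53, 80),      # a DNS query
] + [
    # one host probing port 445 on eight neighbours, one packet each
    (2.0 + 0.1 * i, "10.0.0.9", f"192.0.2.{i}", 6, 51000, 445, 40) for i in range(1, 9)
] + [
    (70.0, "10.0.0.5", "192.0.2.10", 6, 40001, 80, 60),     # > inactive timeout: new flow
]


def run_example() -> tuple[list[FlowRecord], dict[str, int]]:
    cache = FlowCache()
    for pkt in SAMPLE_PACKETS:
        cache.observe(*pkt)
    records = cache.flush()
    return records, fan_out_by_source(records)


if __name__ == "__main__":
    recs, fan = run_example()
    for r in recs:
        print(r.key, r.packets, r.octets, r.first_seen, r.last_seen)
    print("fan-out per source:", fan)
```

The first client/server exchange yields two records (one per direction), the packet at 70 s lands after the inactive timeout and therefore starts a fresh flow with the same key, and the probing host stands out with eight distinct destinations reached by single-packet flows, which is the kind of pattern a flow-level analysis can see that per-packet counters alone do not.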
The Internet publication "Resource Provisioning Using a Clearing House Architecture" by C. N. Chuah, L. Subramanian, R. H. Katz and A. D. Joseph, available in the Internet under http://www.ece.ucdavis.edu/~chuah/research/CHabstract.html, printed out on Mar. 23, 2004, and also published at the conference IWQoS 2000, discloses a clearing house that attempts to provide quality-of-service assurance and network utilization comparable to those offered by stateful networks, while maintaining the scalability of a stateless network architecture. Various clearing house nodes keep track of the intra- and inter-domain traffic patterns and adapt aggregate reservations dynamically based on "Gaussian traffic predictors". The clearing house architecture proposed in this paper can inter-operate with MPLS, OSPF and queuing mechanisms like Core-Stateless Fair Queuing (CSFQ). The clearing houses may be used by an Internet service provider for VPN or VoIP traffic and to achieve better quality-of-service assurance across multiple domains.
The Department of Information Technology of the Ministry of Communications and IT of India has set up CERT-IN. Information about CERT-IN is available in the Internet under http://www.cert-in.org. The purpose of CERT-IN is to become the most trusted referral agency of the Indian community for responding to computer security incidents as and when they occur. CERT-IN also assists members of the Indian community in implementing pro-active measures to reduce the risk of computer security incidents. Its functions are: acting as a central point for reporting Internet incidents, providing a database of incidents, analyzing trends and patterns of intruder activity, tracing incidents, analyzing vulnerabilities and issuing alerts, and profiling attackers. The incident tracing feature of CERT-IN is merely a reactive system.
The Internet publication "QoS Provisioning Using a Clearing House Architecture" by Chen-Nee Chuah, available in the Internet under http://www.ece.ucdavis.edu/~chuah/paper/clearinghouse.pdf, discloses network flow aggregation for reservations and policing, hierarchical control for inter-domain reservations, and traffic-matrix based admission control, which should lead to better quality of service by leveraging knowledge of global demand distributions. It discloses implementing clearing house nodes as resource managers. The clearing house functionalities are to monitor network performance, to estimate traffic demand distributions and to coordinate traffic policing for detecting misbehaving network flows. A clearing house node has to be associated with each logical domain. Amongst other things, it performs group policing for malicious network flow detection.
It is, therefore, a challenge to provide a method for operating a trusted entity, which enables a more effective analysis of malicious network flow. It is a further challenge to provide a trusted entity, which enables a more effective analysis of malicious network flow. It is a further challenge to provide a computer program, which enables a more effective analysis of malicious network flow.